U.S. Department of Transportation
Office of the Secretary of Transportation
Office of Inspector General

Memorandum

Subject:  ACTION: Quality Control Review of the Report on Controls Over the Enterprise Service Center’s Delphi Financial Management System
          Report No. QC-2007-072
Date:     September 13, 2007

From:     Rebecca C. Leng
          Assistant Inspector General for Financial and Information Technology Audits
Reply to Attn. of:  JA-20

To:       Assistant Secretary for Budget and Programs/Chief Financial Officer

This report summarizes the results of the review of system security controls over the Department of Transportation (DOT) Enterprise Service Center’s (ESC) Delphi Financial Management System. ESC performs accounting and financial management functions for DOT and other Federal organizations. The system is maintained by Federal Aviation Administration employees at the Mike Monroney Aeronautical Center in Oklahoma City, Oklahoma.

ESC is one of four Federal Service Providers designated by the Office of Management and Budget (OMB) to provide financial management information system services to other governmental agencies. In addition to serving DOT, ESC supports other Federal entities: the National Endowment for the Arts, the Institute of Museum and Library Services, and the Commodity Futures Trading Commission.[1] OMB requires Federal Service Providers to obtain an independent audit in accordance with the American Institute of Certified Public Accountants’ (AICPA) Statement of Auditing Standards.

[1] The Government Accountability Office will be a new customer of the ESC beginning October 1, 2007.

This year’s audit of the DOT ESC Delphi Financial Management System was completed by Clifton Gunderson, LLP, of Calverton, Maryland, under contract to the Office of Inspector General. We performed a quality control review of the audit work to ensure that it complied with applicable standards. These standards include the Generally Accepted Government Auditing Standards and AICPA’s Statement on Auditing Standards 70. In our opinion, Clifton Gunderson’s audit work complied with applicable standards.

The Clifton Gunderson audit report concluded that management’s description of controls for the Delphi Financial Management System presents fairly, in all material respects, the controls that had been placed in operation as of May 31, 2007. In addition, the independent auditor concluded that controls, as described, are suitably designed and were operating effectively from October 1, 2006, through May 31, 2007, for all stated control objectives except logical access control.[2] Specifically, Clifton Gunderson found that management has not completed the planned corrective actions to provide reasonable assurance that safeguards for logical access controls have been established to prevent or detect unauthorized access.

[2] The independent auditor’s report is available upon request to current and prospective Delphi user organizations.

• Logical Access Controls Were Not Suitably Designed. Last year, the auditors reported that computer network architecture and vulnerability assessment methodology were not suitably designed to provide adequate logical access controls.[3] Specifically, the Delphi database server resides in a shared network that is not fully controlled by ESC staff. Therefore, ESC’s assessments could not ensure that all known vulnerabilities were identified and corrected. Management should implement protection mechanisms to limit access to Delphi servers by other Aeronautical Center system users. Otherwise, other systems on this network, if not properly secured, could become an entry point of unauthorized access to the Delphi Financial Management System.

  During fiscal year 2007, management made progress in isolating the Delphi Financial Management System servers and related resources on the network. However, the main Delphi servers are not scheduled to move into a better secured environment until May 2008.

• Logical Access Controls Were Not Operating Effectively. Logical access controls were not operating with sufficient effectiveness in the areas of vulnerability assessment, workstation administration, and intrusion detection and reporting. ESC management needs to enforce better control practices in these areas.

[3] “Quality Control Review of the Report on Controls over the Delphi Financial Management System,” Report Number QC-2006-076, September 29, 2006. OIG reports can be found on our website: www.oig.dot.gov.

Gunderson made eight recommendations to DOT management for improving access controls. We agree that implementing these recommendations would further enhance controls over operations of the Delphi Financial Management System. The recommendations are listed in the Exhibit to this report. In an August 30, 2007, response to the Office of Inspector General, the DOT Deputy Chief Financial Officer concurred with the recommendations and committed to implementing corrective actions (see Appendix).

In accordance with DOT Order 8000.1C, the corrective actions taken in response to Gunderson’s recommendations are subject to audit follow-up. Gunderson is performing additional testing and will provide a follow-up management letter to the Office of Inspector General, reporting whether the control environment has changed significantly between June 1, 2007, and September 30, 2007. After receiving Gunderson’s follow-up letter, we will decide whether additional support, including target completion dates, is needed for the corrective actions.

We appreciate the courtesies and cooperation of ESC, the Office of the Secretary of Transportation, and Clifton Gunderson representatives during this audit. If you have any questions concerning this report, please call me at (202) 366-1496 or Edward Densmore, Program Director, at (202) 366-4350.

#

cc: Chief Information Officer, DOT
    Assistant Administrator for Financial Services/CFO, FAA
    Assistant Administrator for Information Services/CIO, FAA
    Assistant Administrator for Region/Center Operations, FAA
    Director, Mike Monroney Aeronautical Center, FAA
    Martin Gertel, M-1
    Anthony Williams, ABU-100


EXHIBIT. RECOMMENDATIONS OF CLIFTON GUNDERSON, LLP, INDEPENDENT AUDITOR

The following recommendations were made by Clifton Gunderson, LLP, in its 2007 independent auditor report on the DOT ESC Delphi Financial Management System. DOT Management should implement the following actions to enhance Delphi logical and physical access controls.

LOGICAL ACCESS

1. Ensure that the certification agent in the security certification and accreditation process of the Systems Maintenance Facility (SMF) general support system is an individual, group, or organization that retains an appropriate level of independence and remains free from conflicts of interest.

2. Complete implementing the security enclave that would separate the Delphi servers by placing the servers on their own internal Internet Protocol network. Access to this network should be controlled by firewalls and monitored by intrusion-detection software. In the short run, coordinate patch management and other security features for all agencies that own hardware/software in the Mike Monroney Aeronautical Center data center.

3. Follow DOT and FAA guidelines in determining the level of alerts to be reported to ESC. They should review the current alert thresholds set by the Computer Security Incident Response Center and ensure the IDS is configured based on the Internet Access Point Administrator’s recommendations for the ESC’s environment.

4. Conduct network (internal and external) scans periodically, including scans of System Administrator workstations and terminals. To the extent possible, alternate or rotate scanning software and perform full scans at least quarterly or semi-annually, as resources may permit.

PHYSICAL ACCESS

5. Update SMF documentation to reflect the current responsible parties for administering the SMF.

6. Perform fire drills so personnel are aware of physical security measures and exit procedures.

7. Perform an analysis of all employees with access to the data center and document the justification for this access. Review access frequently and remove permanent access for employees who do not need this access in the daily execution of their duties.

8. Review and assess management progress in implementing closed circuit TV cameras in the Multi-Purpose Building (housing the data center).


APPENDIX. MANAGEMENT COMMENTS

August 30, 2007

MEMORANDUM TO:  Rebecca C. Leng
                Deputy Assistant Inspector General for Information Technology and Computer Security

FROM:           Lawrence I. Neff
                Deputy Chief Financial Officer

SUBJECT:        Management Response to the Information Security Audit of the Delphi Financial Management System

Thank you for the Statement on Auditing Standards (SAS) 70 audit of the Department’s Delphi Financial Management System, which is hosted and operated by the Enterprise Services Center (ESC) in Oklahoma City. We appreciate the Office of Inspector General’s (OIG) coordination, oversight, and Quality Control Review of Clifton Gunderson’s SAS-70 audit of Delphi.

We concur in the recommendations and have identified corrective actions to address them (copy attached). As in the past, we have worked closely with the auditors throughout this year’s SAS-70 audit to ensure that as any issue was raised, corrective action was taken immediately to mitigate risks and to strengthen Delphi’s security controls. Corrective actions already taken to enhance Delphi security in response to this year’s SAS-70 audit include:

• We have implemented a quarterly full port scan of the Delphi servers. The first full port scan was conducted on June 23 and the next scan is scheduled for September 22. These full port scans are in addition to the many different vulnerability scans that are conducted each month as part of our standard operations, including: (1) twice weekly scans on the Demilitarized Zone (DMZ) hardware, (2) bi-weekly scans on all Delphi servers using Foundstone, and (3) quarterly scans on all Delphi servers using Nessus.

• All workstations used by Delphi System Administrators, Database Administrators and Application Administrators have had static IP addresses assigned. Vulnerability scans are performed quarterly to ensure that no inappropriate or unpatched software has been installed.

The following additional corrective action is currently underway:

• The majority of the Delphi servers have been moved to a separate IP address space (enclave) to facilitate external customer access to the Delphi System. We will move the Delphi production cluster to this enclave as well when we implement our next major hardware upgrade in May 2008.

  Although the Delphi database server currently resides logically in a non-segmented network that is not fully controlled and managed by ESC personnel, this network is a trusted internal government network, which helps mitigate risks. The existing internal network architecture provides standard government IT security protection and controls, such as firewalls and Intrusion Detection Systems (IDS). In addition, the DOT and FAA IT security programs provide for Certification and Accreditation (C&A) of systems, rules of behavior, frequent vulnerability scanning, etc.

  The same controls are applied to systems in the DMZ, which provides an additional layer of network-based firewall protection to segment the DMZ from the internal government network. These protective measures are consistent with industry best practices and comply with Federal, DOT and FAA security program requirements and guidance.

  The ESC has been preparing for some time to upgrade the Delphi infrastructure and hardware to leverage newer, more cost-effective technologies. As part of this upgrade in May 2008, the newly-configured database cluster will be logically isolated to reside in a Virtual Local Area Network (VLAN) with restricted access.

We appreciate the help you and your staff have provided through the SAS-70 process as we have continued to strengthen the design and implementation of all security controls for Delphi every year, and we look forward to your continuing help and support.

As a Federal Shared Service Provider (FSSP) designated by the Office of Management and Budget (OMB) to provide a state-of-the-art financial system and quality accounting services to other Federal agencies, we are fully committed to ensuring that the Delphi Financial Management System meets or exceeds all information security requirements.

Thank you for your continuing support and assistance in this effort.

Attachment: Corrective Action Plan

cc: Joann Adam, Phill Loranger, Laurie Howard, Wynne Davis, Hunter Phelps, Arvid Knutsen, Wendy Calvin, Lindy Ritz, Stan Sieg, Marshal Gimpel, Sara Smith, Keith Burlison, Sandra Schreiner, Jacque Estes, Cheryl Rogers, Mike Myers, Laura Ramoly, Robert Stevens


Attachment

Corrective Action Plan
For the FY 2007 SAS-70 Audit of Delphi

NFR #CO-2:

Recommendation 1. We recommend that the ESC Management ensure that the Certifications Agent/s in the Security Certification and Accreditation process of the SMF general support system is an individual, group or organization that retain/s an appropriate level of independence and remain/s free from conflicts of interest.

    Management concurs with this recommendation. The ESC does assure that the SMF is certified by an independent organization that has no responsibilities for the development, maintenance, support or oversight of the systems they certify, as required by FISMA. To alleviate the appearance of any conflict of interest, per the signatures identified on the certification package reviewed by the auditors, ESC will coordinate a request to the ARC Information Systems Security Manager (ISSM) for appropriate changes to the template by September 28, 2007.

Recommendation 2. ESC Management should complete implementing the security enclave that would separate the Delphi servers by placing the servers on their own internal IP network. Access to this network should be controlled by firewalls and monitored by IDS. In the short run coordinate patch management and other security features for all agencies that own hardware/software in the MMAC data center.

    Management concurs with this recommendation. The majority of Delphi servers have already been moved to a separate IP address space (enclave) to facilitate external customer access to the Delphi System; the remaining servers will be moved to this enclave when the Delphi hardware is upgraded in May 2008. Combining completion of the security enclave with the hardware upgrade provides the greatest benefits for the costs required. Access to this enclave is initially being controlled utilizing Access Control Lists (ACLs). A determination on the addition of enclave firewalls, based on cost versus added security benefit, will be made by the Delphi Authorizing Official. In the interim, we will continue to coordinate patch management and other security features for all agencies that own hardware/software in the MMAC data center through our service provider agreements.

Recommendation 3. ESC Management should follow DOT and FAA guidelines in determining the level of alerts to be reported to ESC. They should review the current alert thresholds set by CSIRC and ensure the IDS is configured based on the Internet Access Point Administrator’s recommendations for the ESC’s environment.

    Management concurs with this recommendation. ESC has controls in place, in accordance with DOT & FAA orders, to prevent unauthorized scanning and intrusion. Per FAA Order 1370.90, ESC perimeter routers limit CSIRC’s view of the full impact of external scans; therefore, CSIRC would only see a small subset of the scanning activity performed for the SAS-70 audit, and because no improper access was attempted, this did not trigger any alerts (in addition, ESC ACLs are configured to block entire subnets known for inappropriate behavior). The MMAC Internet Access Point Administrator will review the current alert thresholds and ensure the IDS is correctly configured by August 17, 2007.

Recommendation 4. Conduct network (Internal and External) scans periodically including scans of System Administrator workstations and terminals. To the extent possible, alternate or rotate scanning software and perform full scans at least quarterly or semi-annually as resources may permit.

    Management concurs with this recommendation. A quarterly full port scan, alternating scanning software, of Delphi servers has been implemented. The first scheduled full port scan was performed on June 23, 2007. The next scan is scheduled for September 22, 2007. These full port scans are in addition to the numerous vulnerability scans that are run throughout the month on DMZ hardware (twice weekly) and all Delphi servers (bi-weekly and quarterly scans utilizing alternate scanning software). In addition, all System Administrator, Database Administrator and Application Administrator workstations have had static IP addresses assigned, and vulnerability scans are performed quarterly to identify if inappropriate, unpatched software is installed. The most recent administrator workstation scan occurred on July 25, 2007.

NFR #CO-3:

Recommendation 1. ESC Management should update SMF documentation to reflect the current responsible parties for administering the SMF.

    Management concurs with this recommendation. The SMF ISSP was updated in April 2007 as part of the SMF’s annual FISMA Assessment. Appropriate SMF documentation will be updated in the future, as significant changes occur.

Recommendation 2. Fire drills should be performed so personnel are aware of physical security measures and exit procedures.

    Management concurs with this recommendation. The most recent fire drill was held on May 31, 2007. ESC will coordinate with MMAC Facility Maintenance to ensure routine fire drills are performed in a timely manner.

Recommendation 3. Perform an analysis of all employees with access to the data center and document the motive for this access. Review access frequently and remove permanent access for employees who do not need this access in the daily execution of their duties.

    Management concurs with this recommendation. An analysis of employee access to the data center will be completed by August 31, 2007. In addition, regularly scheduled quarterly access reviews of employee access to the data center will continue. The next data center quarterly access review will be completed by September 30, 2007.

Recommendation 4. Review and assess Management progress in implementing closed circuit TV cameras in the Multi-Purpose Building (housing the data center).

    Management concurs with this recommendation, which will be implemented in conjunction with other enhancements to the data center.